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1.  Summary 

This  paper  describes  the  working  mechanism  of  IMMUNE  DRIVER.  This  system  uses  the 
functions  that  are  regularly  not  used  function  by  IA32  process  which  maintains  the  highest 
market  share  at  present  to  interrupt  program  when  buffer  overflow  generated  by  virus 
program. 

2.  Mandatory  Environment 

CPU:  Intel  Pentium  Pro  or  higher  processor 

*IA'32  Processor  with  processor  instruction  trace 
OS:  Microsoft  Windows  2000  SPO 

Development  environment  for  IMUUNE  system: 

Microsoft  Visual  Studio  6.0  SP4 
Compuware  DriverStudio  2.7  or  later 


3.  Structure 

The  following  is  the  sketch  of  this  system 


Fig. 3D  Sketch  of  the  system 
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4.  Mechanism 

4.1.  Brief  Flowing  Chart 

This  system  consists  of  five  parts:  [Initialization],  [Process  detection],  [Event  registration], 
[Instruction  trace],  and  [Process  termination]. 


Branch  instruction  processing 


i 


Fig.  41  Brief  flowing  chart  of  IMMUNE  DRIVER 

( 1 )  Initialization 

The  process  works  on  the  starting  of  IMMUNE  driver. 


SciencePark  Corporation 


(  2  )  Process  detection 

The  preparatory  works  of  detection  the  buffer  overflow  before  the  target  process  generated. 

(  3  )  Registration  of  branch  instruction  trace  event 

Right  after  the  target  process  generated,  the  virus  execute  buffer  overflow  code  by  branch 
instruction.  That  is  why  the  events  of  branch  instruction  should  be  monitored,  of  which  only 
the  buffer  overflow  caused  by  the  instruction  of  CALL/RET/RETxx  are  to  he  detected. 

(  4  )  I  nst  ruction  trace 

When  the  registered  event  occurs,  the  following  methods  are  to  he  executed  depending  on 
the  branch  instruction. 

(D  CALL  instruction  processing:  Storing  the  return  address  of  CALL  instruction  in  our  stack 
recorder. 

©  RET  instruction  processing:  Compare  the  return  addresses  in  slack  recorder  with  the 
current,  return  addresses  when  CALL  instruction  executed.  If  they  are  not,  match,  it,  is 
considered  that  the  return  address  was  changed  illegally.  This  is  regarded  as  buffer 
overflow,  which  will  forcefully  terminate  the  process. 

(  5  )  Process  termination 

The  process  that  caused  buffer  overflow  is  terminated  forcibly. 
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4.2.  Initial  processing 

Flow  chart  of  ini  tialization 


Fig.  4-2  Initial  processing 


( 1 )  Set  process  name  (by  initial  parameter) 

Specify  the  process  name  of  monitored  buffer  overflow  from  registry. 

(  2  )  Register  a  process  generation  callback  function 

To  register  a  process  generation  callback  function,  call  the  PsSetLoadlmageNotifyRoutineO 
function  provided  by  Windows. 

Prototype  of  callback  function  is  defined  as  following 
void  LoadImageNotifyRoutine( 

P  UNI  C0DE_ST  RING  FulllmageName, 

HANDLE  Proeessld, 

PIMAGEJNFO  Imagelnfo 

) 
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(  3  )  Initialize  Stack  recorder 

It  gives  a  room  and  is  initialized  in  the  stack  recorder.  The  stack  recorder  is  a  buffer  used  to 
trace  the  branch  instruction  while  target  process  executes.  Also.  it.  dynamically  gives  a  room  in 
stack  recorder  whenever  sub  thread  of  the  specified  process  is  generated.  The  stack  recorder 
structure  is  defined  as 


typedef  struct  _ASO_STACK_LIST{ 
LISTJENTRY  mJJstEntry; 

ULONG  Threadld; 

ULONG  *StackPointer; 

LONG  CurrentStackLocation; 

}  ASO_STACK_LIST,  *PASO_STACK_L!ST; 


( 4  )  Register  thread  creation  event,  hooking  (suitable  for  multiple  threads) 

It  is  to  hook  kernel  API  called  Nt Great, eThread  when  the  sub  thread  is  being  generated.  For 
hooking  NtCreat, eThrearl,  entry  point,  of  Int.2E  interrupt  handler  is  replaced  with  IMMUNE 
system. 

IBTR  idtr; 

PIDTENTRY  Oldt; 

PIDTENTRY  Nldt; 

_ asm  SIDT  idtr; 

Oldt  =  (PIDTENTRY)MAKELONG(idtr.LowlDTbase,  idtr.HilDTbase); 
gOldlNT2EH__Handler  =  MAKELONG(Oldt[IGATE2E].Offsetlow,  Oldt[lGATE2E].OffsetHigh); 

Nldt  -  &(Oldt[IGATE2E]); 

_ asm  { 

CLI 

LEA  EAX,  ASOJHook_INT2EH 
MOVEBX,  Nldt; 

MOV  [EE3X],  AX 
SHR  EAX,  16 
MOV  [EE3X+6],  AX; 

LIDT  idtr 
STI 

} 
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4.3.  Detection  of  process  generation  events 

Monitoring  starts  at  the  beginning  of  process  execution  right  after  being  generated.  The  target 
process  events  are  got  through  the  following  chart,: 


Fig.  4-3  Detection  of  process  generation  event 


CD  Detection  of  process  generation 

The  LoadlmageNotifyRoutine  is  called  when  any  process  generates.  The  function  of 
LoadlmageNotifyRoutine  is  as  following 


©  To  dot  ermine  a  target  process 

The  FullImageName  (one  of  the  arguments  of  LoadlmageNotifyRoutine)  is  used  to  distinguish 
the  target  process's  module  name.  If  it  is  believed  to  be  the  target  process,  the  process  will  go  as 
shown  in  (3). 
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(3)  To  obtain  the  process  starting  address 

It  gets  the  program  starting  address  by  EXE  header  the  program  file.  It  takes  the  following 
codes  to  get  the  program  starting  address. 


PVOID  ImageBase  =  (PVOID)lmagelnfo->lrnageBase; 

MZ_HEADER  *mz_Header=  (MZ_HEADER  *)lmageBase; 

MZ_NE  *mz_ne  =  (MZ_NE  *)((char  *)lmageBase  +  sizeof(MZ_HEADER)); 
IMAGE_NT_HEADERS  *lmageNtHeaders  = 

(IMAGE_NT_HEADERS  *)((char  *)lmageBase  +  mz_ne->ne_header); 
char  *EntryPoint  = 

(char  *)((ULONG)lmagelnfo->lmageBase+ 
lmageNtHeaders->OptionalHeader.AddressOfEntryPoint); 
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®  So!  tin”  the  detection  of  process  execution  starting 

Setting  a  hardware  break  point  in  the  process  starting  address  got  in  above  mentioned  (3).  Call 
t  he  trace  callback  function  (ASO_  IIookJNTOl  I  I)  when  the  process  starts.  The  following  codes 
are  used  for  the  registration 


MOV  EAX.  KickStartAddress  //  Process  start  address 
MOV  DRO.  EAX 


MOV  EAX,  DR7 
OR  EAX,  0x00000000; 
OR  EAX,  0x00000000: 
OR  EAX,  0x00000200; 
OR  EAX.  0x00000002: 
MOV  DR7,  EAX; 


II  Set  LENO  =  00  (lByte  Length) 

//  Set  R/WO  =  00  (On  Execution  Only) 
II  Set  GE 
II  Enable  GO 
II  Set  DR7 
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(5)  Setting  the  execution  break  point 

To  set  hardware  break  point  in  execution  entry  point  to  be  able  to  begin  the  trace  as  soon  as  the 
program  starts.  Call  the  INTO!  handler  when  break  point  is  hit  during  the  execution  of  entry 
point. 

The  following  codes  are  used  for  the  registration 


MOV  EAX,  KickStartAddress  //  Entry  Point  (mainO  address) 
MOV  DRO,  EAX 


MOV  EAX,  DR7 


OR  EAX,  0x00000000; 
OR  EAX,  0x00000000; 
OR  EAX,  0x00000200: 
OR  EAX,  0x00000002: 
MOV  DR7,  EAX: 


//  Set  LENO  =  00  (iByte  Length) 

II  Set  E/WO  =  00  (On  Execution  Only) 
//  Set  GE 
II  Enable  GO 
II  Set  DR7 


11 


SciencePark  Corporation 


©  Registration  of  branch  instruction  handler 

To  register  the  trace  callback  function  (ASOJlook . INTOlH)  ,  Replace  the  IDTGntorrupt. 

Descriptor  Table)  of  01H. 

The  following  codes  are  used  for  the  registration 


IDTR  idtr; 
PIDTENTRY  Oldt; 
PIDTENTRY  Nldt; 


_ asm{ 

SIDT  idtr; 

} 

Oldt  =  (PIDTENTRY)MAKELONG(idtr.LowlDTbase,  idtr.HilDTbase); 

gOldINTOI H_Handler=  MAKELONG(Oldt[IGATE01].OffsetLow,  Oldt[IGATE01].OffsetHigh); 

Nldt  =  &(Oldt[IGATE01]); 

_ asm{ 

LEA  EAX,  ASO_Hook_INT01  H//  INT01  Hook  function 
MOV  EBX,  Nldt; 

MOV  [EBX],  AX 
SHR  EAX,  16 
MOV  [EBX+6],  AX; 

LIDT  idtr 


} 

©  Saving  of  process  ID 

When  starting,  the  process  gets  an  ID  from  Windows.  The  ID  is  saved  to  distinguish  the  target 
process  when  the  event  occurred  by  I  A- 32  branch  instruction. 
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4.4.  Starting  of  tracing 

When  entry  point  of  program  is  run,  the  INTO]  handler  is  called  by  pre-set  break  point.  From  this 

moment,  trace  function  turns  active 

The  following  codes  are  used  for  enabling  trace  function. 


MOV  FAX,  DR6; 


II  Get  DR6  Register  Value 


//  Check  MemoryBreakO  Flag 

TEST  EAX,  0x00000001  //  Check  MemoryBreakO  bit 

JNZ  M EMORY JB REAKJBPO 


MEMORY  BREAK  ,BP(): 

MOV  EAX,  DRO 

MOV  gBreakAddress,  EAX 


XOR  EAX,  EAX 
MOV  DRO,  EAX 


MOV  EAX,  DR7 

AND  EAX,  OxFFFFFFFD;  //  Disable  GO 

MOV  DR7,  EAX 

MOV  EAX,  DR6 

AND  EAX,  OxFFFFFFFE  //  Disable  BO 

MOV  DR6,  EAX 


-IMP  MEMORY  BREAK  COMMON 
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4.5.  Branch  instruction  process 


When  the  branch  instruction  is  hit,  it  is  to  be  processed  as  below: 


Fig.  4-4 
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Trace 

c 

start, 

) 

7 _ 

Clear  a  trace  (lag  of  DR6 

7 

Get  Last  Branch  Fromlp  (MSR=0x01  DB) 

To  CALL  process 


To  CALL  or  JMP  process 


To  CALL  process 


To  RET  process 


To  RET  process 
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To  CALL  process 


To  CALL  process 


To  JMP  ESP  process 
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During  the  branch  instruction  are  executing  in  process,  ASOJHook  JNT01H  is  called.  Only  the 
instruction  of  CALL  and  RET  that  are  necessary  for  IMMUNE  system  in  handler  distinguish 
according  the  following  codes. 


//  DR6  <-  0x00000000 
MOV  EAX,  DR6 
AND  EAX,  OxFFFFBFFF 
MOV  DR6,  EAX 

//  EDXtEAX  <-  LastBranchFromlp 

MOV  ECX.  0x000001  DB:  // MSR  =  OxOlDB(LastBranchFromlp) 
RDMSR; 

PUSH  ES 
MOV  BX.  0x001  B 
MOV  ES,  BX 
MOV  EDX,  EAX 
MOV  EAX,  ES:[EAXJ 
POP  ES 

II 

II  Branch  on  Instruction  type 
II 

CMP  AL,  OxEB  //  Relative  near  call 

JZ CALL  FOUND 

CMP  AL,  OxFF  //  Direct  near/far  call 

JZ  CALLORJMP_FOUND 
CMP  AL,  0x9A  //  Direct  far  call 

JZ  CALL_FOUND 

//  near  RET 

II  far  RET 

II  near  RET  with  POP 
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CM  PAL,  0xC3 
JZ  RET_FOUND 
CMP  AL,  OxCB 
JZ  RET_FOUND 
CMP  AL,  0xC2 
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JZ  RETN. . FOUND 

CMP  AL,  OxCA  //  far  RET  with  POP 

JZ  RETNJFOUND 

IMP  CALL  NOTFOUND 

CALLORJMPJFOUND  • 

TEST  AH,  0x10  //CALL/2 

JNZ  CALL_FOUND 

TEST  AH,  0x18  //CALL/3 

JNZ  CALL_FOUND 

CMP  AH,  0xE4  II JMP  ESP 

JZ  JMPESP.  FOUND 

JMP  CALL_NOTFOUND 
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4.6.  In  the  case  of  CALL  instruction  executes 

When  execution  of  CALL  instruction  is  detected  in  target  process,  the  return  addresses  are  saved  in 
stack  recorder  according  to  the  following  flow  chart 
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(T)  When  CALL  instruction  is  executed,  the  original  return  address  stored  in  stack  area  is  got 
according  the  following  codes. 


CAlL_FOUND: 

PUSH  ES 

//  Get  Stack  segment  (CS) 

MOV  ECX,  EBP 

ADD  ECX,  +  4  +  4  +  4  +  4  +  4 

MOV  EAX,  [ECX] 

MOV  ES,  AX 
//  Get  Stack  pointer 
MOV  ECX,  EBP 
ADD  ECX,  +  4  4*4  +  4 

LES  EDX,  [ECX]  //  Now  EDX  point  to  Stack  Address 

//  Get  RetIP 
MOV  ECX,  EDX 

MOV  AX,  0x001  B  // User  mode  only 

MOV  ES,  AX  II 

MOV  EDX,  ES:[ECX]  //  Retrieve  RetIP  on  Stack 

II 

//  Now  EDX  point  to  RetIP  on  Stack 
// 

POP  ES 
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(2)  The  return  address  got  from  (l)  is  stored  in  stack  recorder  inside  the  IMMUNE  system. 
I  t  is  to  be  processed  as  following: 


KeRaiselrql(HIGH__LEVEL,  &Oldlrql); 

PASO_STACK_LIST  StackList  =  (PASO_STACK_LIST)gStackList[Threadld]; 
if  (StackList  ==  0){ 

//  Error 

}else  if  (StackList->CurrentStackLocation  >  STACK_LIMIT){ 

StackList  =  NULL; 

}else  if  (StackList->CurrentStackLocation  >=  0){ 

StackList->StackPointer[StackList->CurrentStackLocation]  =  ExpectedRetlp; 
StackList->CurrentStackLocation  ++; 

} 

KeLowerlrql(Oldlrql); 


(3)  Reset  the  instruction  trace.  Because  the  instruction  trace  setting  is  effective  until  the  branch 
instruction  is  detected. 
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4.7.  In  the  case  of  RET  instruction  executes 

When  execution  of  RET  instruction  is  detected  in  target  process,  it  is  to  follow  the  chart  below  to 
check  the  over  How. 
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(D  When  RET  instruction  is  executed,  the  real  return  address  stored  in  stack  area  is  got  according 
the  following  codes. 


RET_FOUND: 

PUSH  ES 

//  Get  Stack  segment  (SS) 
MOV  ECX,  EBP 
ADD  ECX,  +  4  +  4  +  4  +  4  +  4 
MOV  EAX,  [ECX] 

MOV  ES,  AX 


//  Get  Stack  pointer 
MOV  ECX,  EBP 
ADD  ECX,  +  4  +  4  +  4  +  4 
MOV  EAX,  [ECX] 

LES  EDX,  [ECX]  //  Now  EDX  point  to  Stack  Address 

SUB  EDX,  +4  //  Back  4Bytes  from  Current  Stack  Address 

MOV  ECX,  EDX 

MOV  AX,  0x001  B 
MOV  ES,  AX 
MOV  EDX,  ES:[ECX] 
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(2)  The  real  return  address  in  stack  area  and  the  original  return  address  stored  during  call 
instruction  executes  are  compared 


KeRaiselrql(HIGH__LEVEL,  &Oldlrql); 

PASO_STACK_LIST  StackList  =  (PASO_STACK_LIST)gStackList[Threadld]; 
if  (StackList  ==  0){ 

//  Stack  not  found 

}else  if  (StackList->CurrentStackLocation  >  0){ 

StackList->CurrentStackLocation  — ; 

ULONG  ExpectedRetlp 

=  StackList->StackPointer[StackList->CurrentStackLocation]; 
StackList->StackPointer[StackList->CurrentStackLocation]  =  0; 
if  (ExpectedRetlp  !=  Tolp){ 

LONG  i; 

BOOLEAN  StackFound  =  FALSE; 
for  (i  =  StackList->CurrentStackLocation;  i  >=  0;  i  --){ 
if  (StackList->StackPointer[i)  ==  Tolp){ 

LONG  j; 

for  (j  =  i;  j  <=  StackList->CurrentStackLocation;  ]++){ 
StackList->StackPointer[j]  =  0; 

} 

StackList->CurrentStackLocation  =  i; 

StackFound  =  TRUE; 
break; 


} 

} 

if  (!StackFound){ 

//  Not  found 

Terminate_VirusCode(Fromlp,  Tolp,  ExpectedRetlp); 

} 

} 

}else{ 

DbgPrint{"  Illegal  Stack  Location¥n"); 

} 

KeLowerlrql(Oldlrql); 


_ _  |  ;  _ SciencePark  Corporation 


(3)  Wlien  the  return  addresses  are  identical,  it  is  believed  to  be  the  normal  process  and  this  process 
is  finished.  When  the  addresses  are  not  identical,  it  is  believed  that  overflow  occurs.  That  is 
when  the  process  of  termination  described  in  4.7(Terminate  VirusCode)  will  be  executed. 


©  Reset  the  instruction  trace. 
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4.8.  Force  process  termination 

(D  The  process  will  be  forcefully  terminated  by  the  hidden  illegal  codes  in  executed  instruction 
address  (real  return  address)  according  to  RET  instruction. 


void _ stdcall  Terminate_VirusCode(ULONG  Fromlp,  ULONG  Tolp) 

{ 

IsDetected  =  TRUE; 

//  Rewrite  Fromlp(Next  instruction  of  JMP  ESP)  to  INT3 
_ asm{ 

PUSH  EAX 
PUSH  EDX 

MOVAL,  OxCC  //  1NT  3 

MOV  EDX,  Fromlp 
MOV  SS:[EDX],  AL 

POP  EDX 
POP  EAX 

} 

} 
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4.9.  To  set  a  hook  of  thread  generating  events 

The  sub  thread  is  under  monitoring  as  soon  as  it  is  created  by  target  process.  So,  the  system  is  able 
to  catch  the  event  generated  by  sub  thread. 


The  API  Create thxeadO  is  hooked  when  target  thread  is  generated.  Whenever  sub  thread  is 
generated,  it  starts  to  monitor  the  branch  instruction  same  as  main  thread. 
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The  following  codes  are  used  to  set  the  hook  of  thread  generating  event  s  (CreateThreadO) 

KIRQl  Oldlrql; 

KeRaiselrql(HIGH_ LEVEL,  &Oldlrql); 

_ asm{ 

PUSHAD 


//  for  CreateThreadO 

MOV  EAX,  EBP 

//  Current  EBP 

MOV  EAX,  [EAX] 

//  Previous  EBP(ASO_Hook_INT2BH) 

MOV  EAX,  [EAX] 

//  Previous  EBP(CreateThread) 

ADD  EAX,  0x10 

//  Stack  +  10H  (IpStartAddress) 

MOV  EBX,  [EAX] 

//  EBX  <-  Thread  address 

CMP  EBX,  0x7800BE4A 

//  if  EBX  ==  Joeginthread's  start_address  (2K+SP0)  then 

JNZ  SET  MEMORYBREAK 


//for_beginthreadO 

MOV  EAX,  EBP 

//  W± <D  EBP 

MOV  EAX,  [EAX] 

//  Previous  EBP(ASOJHook_INT2BH) 

MOV  EAX,  [EAX] 

//  Previous  EBP(CreateThread) 

MOV  EAX,  [EAX] 

//  Previous  EBP(_beginthread) 

ADD  EAX,  OxOC 

//  Stack  +  OCH  (start_address) 

MOV  EBX,  [EAX] 

//  EBX  <-  Thread  address 

SET  MEMORYBREAK: 

PUSH  E6X  //  Paraml 

CALL  InstallNewIntOI Handler 

POPAD 

} 
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4.10.  About  JMP  ESP  instruction 

JMP  ESP  is  necessary  instruction  to  execute  codes  in  stack  area,  as  in  the  case  of  virus  invaded 
through  network.  The  program  codes  in  stack  area  can  be  invaded  through  buffer  overflow.  JMP 
ESP  instruction  returns  control  of  program  codes.  No  matter  the  return  address  matches  or  not 
with  the  call  origin,  it  will  be  on  the  list  of  prohibition.  Because  DOS  and  Windows  of  early 
versions  use  the  way  to  run  a  program  with  limited  memory,  the  program  codes  are  created  in  stack 
area.  In  recent  years,  OS  doesn’t  use  this  way  so  it  can  also  be  prohibited. 


JM  P  ESP  process 
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5.  BOF  test 

5.1.  BOF  sample  codes  test 

Wo  have  a  simple  BOF  test  that  SQL  slammer  attacking  to  non-patched  Microsoft.  SQL  Server2000 
using  an  emulated  program  implemented  slammer  virus  code.  This  emulated  program. 
sqlslammer.exe,  force  to  execute  notepad  up  to  infinity  when  the  program  attack  to  non  patched 
SQL  Server.  If  you  set  enable  for  the  immune  system,  the  immune  system  can  detect,  this  attack, 
and  immediately  kill  the  process  of  SQL  Server. 


5.2.  BOF  test  of  metamorphic  coding  type 

Metamorphic  coding  will  carry  out  the  BOF  detection.  This  detection  by  old  way  of  signal  pattern 
matching  was  quite  hard.  The  metamorphic  coding  has  generally  three  types 


( 1 )  Register  replacement,  type 

POP  EDX 

MOV  EDI,  0 0 0 8 H 
MOV  ESI, EBP 
MOV  EAX  000DH 
ADD  EDX,  005FH 
MOV  EDX, [EDX] 

MOV  [ESI+EAX*0000CCC9, EBX] 

POP  EAX 
MOV  EDX, 000 8H 
MOV  EDX, EBP 
MOV  EDI , D00DH 
ADD  EAX ,  0  0  5 FH 
MOV  ESI, [EAX] 

MOV  [ EDX+EDI* 0000CCC9 ] , ESI 


(  2  )  Magic  number  exchanging  type 

MOV  DWORD  PTR  [ESI]  ,11000000H 
MOVDWORD  PTR 
[ESI+0004] , 110000FFH 
MOV  EDI, 11 OOOOOOH 
MOV  [ESI], EDI 
POP  EDI 
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PUSH  EDX 

MOV  DH , 4  0 

MOV  EDX, 11000 OFFH 

PUSH  EBX 

MOV  EDX, EBX 

MOV  [ ESI+0004 ] , EDX 

MOV  EDX, 11000000H 

MOV  [ESI], EBX 

POP  EDX 

PUSH  ECX 

MOV  ECX, 11000000H 
ADD  ECX, 000 00 OFFH 
MOV  [ESI+0004] , ECX 

(  3  )  Control  order  changing  type 

INSTRUCTION_A 
INSTRUCTION^  B 
INST  RU CT I  ON__C  : 

LABEL  2.  '• 

INSTRUCTION  B 
JMP 

FAKE  INSTRUCTIONS 
LABEL_3 : 

INSTRUCTION^ 

START: : 

LABEL  1: 

INSTRUCT ION_A 
JMP 

FAKE  INSTRUCTIONS 
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In  the  three  cases  showed  above,  there  is  signature  change  after  linkage.  IMMUNE  system 
successfully  detected  BOF  and  terminated  the  process  since  the  buffer  overflow  generated  in  all  the 
three  cases. 
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6.  Extension  of  IMMUNE  system 

6.1.  For  Windows  XP  machine 

This  system  is  suitable  for  Microsoft  Windows  2000.  The  following  points  should  be  taken  care  when 
dealing  with  Windows  XP. 

CD  Operation  after  process  detection 

In  Windows  XP,  the  notice  can't  he  captured  even  though  the  breakpoints  were  set  at  the  very 
beginning  of  process.  The  following  changes  must  be  made. 


_ asm{ 

PUSHAD 
MOV  EAX,  CRO; 

PUSH  EAX 

AND  EAX,  -(0x10000) 

MOV  CRO,  EAX  //  Remove  specialized  memory  flag  of  reading 

} 

char  *TaleOflmage  =  (char  *)((ULONG)lmagelnfo->lmageBase  +  lmagelnfo->lmageSize  -  32); 

if  ((Ta!eOflmage[5]  ==  (char)0xCD) 

&&  (TaleOflmage[6]  ==  (char)0x20) 

&&  (TaleOflmage[7]  ==  (char)0xE9)){ 

//Already  patched 

}else{ 

//  Replace  the  process 
memcpy(TaleOflmage,  EntryPoint,  5); 

TaleOflmage[5]  =  (char)0xCD;  //  INTxx 

TaleOflmage[6]  =  (char)0x20;  //  0x20 

TaleOflmage[7]  =  (char)0xE9;  //  far  JMP 

*(ULONG  *)&TaleOflmage[8]  =  (ULONG)EntryPoint  -  (ULONG)TaleOflmage  -  7; 
EntryPoint[0]  =  (char)0xE9;  //  far  JMP 

‘(ULONG  *)&EntryPoint[1]  =  (ULONG)TaleOflmage  -  (UlONG)EntryPoint  -  5; 
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(D  Detect,  the  thread  generating 

The  native  API  call  mode  of  processor  supporting  SYSENTER/SYSEXIT  instruction  is  changed  in 
Windows  XP.  So.  the  old  way  of  INT  2EH  hook  can't  he  used  any  more.  Only  the  native  API  service 
table  replacement  should  be  used. 


KIRQL  Oldlrql; 

KeRaise Irql(lII GI  I_.LEVE  L,  &01dlrql) ; 


PServiceDescriptorTableEntry  Table  =  &KeServiceDescriptorTable! 
OldNtCreateThread  =  (NTCREATETHREAD)Table->ServiceTableBase[0x35j; 
Tabie->ServiceTableBase[0x35]  =  (unsigned  intlNewNtCreate1 Thread; 


KeLowerlrql  (Oldlrql); 
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Appendix  1  Setup 

The  component  of  the  module 


Name 


Remark 


AntiStackOverflow.sys 


IMMUNE  Driver 


ASOFace.exe 


IMMUNE  GUI 


IMMUNE. reg 


Registry  file  for  starting  IMMUNE  Driver 


Installation 


1 .  Copy  IMMUNE  driver  file 

Copy  AntiStackOverflow.sys  to  the  directory  of  %SystemRoot%¥System32¥drivers 

2.  Create  registry 

Double  click  IMMUNE. reg  to  create  a  registry  for  starting  the  IMMUNE  driver 

3.  Enable  IMMUNE  system 
Restart  Windows 

4.  Customize  detecting  target  process 

It's  able  to  change  the  name  of  detecting  target  process  by  changing  the  value  of  the 
following  registry. 


Key: 

H  KE  Y_LO  CAI  j_M ACI II  NEYS  Y  STEMYCurrent  ControlSe  tYService  sYAntistackover  flo 

wYParameters 

Value.:  AppName 

The  default  value  is  sqlservr.exe 
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